PrivacyTraining_ad300x250.Promo1-01
Certification_CIPT_300x250final-01
What Makes a Good Privacy Officer?

Recently, as I was speaking to a talented group of law students, I was asked the above question. This has also been a related theme underlying some of the recent posts on the IAPP Privacy List. I’m not sure if this list is what those who want to enter the privacy field should cultivate in themselves, what current privacy officers are like or what we should be aiming for as a profession.

To build this list, I searched online for the top 10 traits or characteristics of compliance officers, salespeople, CEOs and managers. In essence, I could stop this blog entry now—that is what we are and should be: compliance officers, salespeople, CEOs, managers and let’s include janitors as well. In fact, let’s look at it that way: What job skills does one need to be an effective privacy officer? If we were to brew the perfect privacy officer, what career fields would we throw into the kettle?

Compliance Officers: In effect, this is what we are. We have a law, rule or regulation that we need to follow. We make sure the company follows this certain law, rule or regulation. We are a cost center. We do not make a profit for the company. We do, however, save the company lots of money. Please do funnel those horrible headlines past your executive committee to show them what you are worth.

A good privacy officer runs the department like a successful CEO. S/he needs vision, execution, organization, candor with compassion and pragmatism.

Sales: We sell. We sell compliance. We sell the need to do the right thing, even if there is no law, rule or regulation stating what we should do. We sell Privacy by Design. We sell having us in the opening bid of a project. We sell our benefit to the company. We identify the needs, the underlying support, the future benefit and our allies as well as our antagonists. We bring our persuasive skills to the table and close the deal.

CEOs: I borrowed material for this one from Stephen D. Simpson’s “Top Qualities of an Effective CEO.” A good privacy officer runs the department like a successful CEO. S/he needs vision, execution, organization, candor with compassion and pragmatism. S/he needs to be in the right markets at the right time, to drive hard bargains—but not too hard—and to manage for the future, not the mirror. If we as privacy officers are not in the right market at the right time, we miss the privacy boat. We get stranded on the privacy island or get voted off it.

Managers: I borrowed this one from Jacob Morgan’s “5 Must-Have Qualities of the Modern Manager.” As privacy officers, we must be good managers. We need to follow from the front and make sure our employees succeed—when we yell jump, jump with them. We must understand technology—especially in our digital world. We must lead by example, embrace vulnerability and believe in the collective intelligence. Rarely do people comply with a mandate because it is a mandate. Foster understanding in order to foster compliance.

Social Workers: Social workers serve an incredibly valuable role in our society—often dealing with vulnerable populations. To be an effective social worker, one needs empathy, dependability, patience and a slew of efficient, effective and inexpensive resources. S/he must be creative and open-minded yet willing to take on the challenges, including the drudgery of paperwork. Know when to walk quietly, carry a big stick and know when to run in the other direction—calmly and with authority.

Rarely do people comply with a mandate because it is a mandate. Foster understanding in order to foster compliance.

Investigators: Investigating is a natural fit for our job as we frequently are investigating complaints and breaches. But what traits do we need as investigators? We need to be perceptive, stubborn, questioning and detail-oriented. We need to keep good notes and be able to connect seemingly unconnected events and facts. We need to be inquisitive and not hesitate to ask the hard questions—out loud—sometimes just to hear how ridiculous they are.

Inventors: “Necessity is the mother of invention.” But it takes someone who is willing to think beyond preset boundaries and create something new. Perhaps it’s an easier way of doing something, or it involves making a program more streamlined and efficient—a little tweak that makes something much easier than it once was. Some privacy officers create a program from nothing, and others have nothing with which to run the program. Regardless, we all hope to see a return on investment.

Mechanics: Mechanics run the gamut of the shady-tree mechanic to the luxury jet mechanic, and so do privacy officers. Some have elite background and training, while others learned the trade organically and grew up with it. Neither one is better than the other. They’re just varied in credentials and background. But like me taking my car into the shop and duplicating the dinging it does when I take a left turn, colleagues don’t always know something is wrong with their data practices. It just sounds wrong. Privacy officers are left to identify what is broken, trusted to fix it and expected to keep the cost down—oh, and have it ready for pickup this afternoon with a full body detail and the tires done.

We need to be inquisitive and not hesitate to ask the hard questions—out loud—sometimes just to hear how ridiculous they are.

Airline attendants: Let’s be friendly, attractive and provide excellent service while keeping everyone safe. Smiling, yet firm. And yes, you have heard this a hundred times before: The plane may be different; the law is not. Just do what you need to do, correctly, when required, and we will make sure you get where you need to be. Oh, and don’t sit in the exit row unless you are willing to help everyone else. Coffee, anyone?

Janitors: Same garbage, different day. But if we weren’t here to clean it up, the world would be in a rough place.

This list is limited to 10 because 10 seems to be the magical number for such considerations, but I bet there are lots of others. What career field would you choose to compare to being a privacy officer? Picture yourself explaining your job to a bunch of six-year-olds … What do you say?

Written By

K Royal, CIPP/E, CIPP/US

21 Comments

If you want to comment on this post, you need to login
  • Lanita Collette Feb 20, 2014

    Does the perfect privacy officer have a law degree?

  • Lee Feb 20, 2014

    I was right with you until the airline attendant and one little word 'attractive' - strike this, and you have a perfect description, no law degree required. :-)

  • Name Ester Horowitz, Compliance Inc Feb 20, 2014

    I disagree with the statement that compliance is a cost center. If you really are a CEO mindset then you know how to use compliance to effective profitability not just save the company a ton of money in liabilities. I teach this all the time

  • K Feb 20, 2014

    Hi Lanita. No, the perfect privacy officer might not have a law degree. I do, as does many I know, but I also know some really good ones who do not. One thing I have noticed is that not all attorneys are good in a privacy or compliance role. It requires a little more or different *something* that not all attorneys have. It's the same as saying not all attorneys are good litigators. There is just a certain mindset or personality that is required. Knowledge can be learned/acquired. That personality or mindset, probably not so much.

  • K Feb 20, 2014

    Hi Lee, You don't know how much I agonized over that one little word, especially given that it used to be a requirement and no longer is due to discrimination claims. I left it in to see if anyone else would pick up on it and disagree. Thank you for doing so! - and thank you for the compliment.

  • K Feb 20, 2014

    Ester, You are so right. I, too, argue that compliance with laws permits companies to sell their widgets - therefore, we are not a burden, we are an enabler. Like HR, we contribute indirectly to profit (and their contribution is much more direct than ours). Unfortunately, this is an argument that will likely never end.

  • Name Pat Nelson Feb 20, 2014

    "Attractiveness" in this case doesn't necessarily mean physical beauty in any way, it could mean something as simple as not leaving the house looking like a hot mess. If a person can't pull themselves together professionally in front of the mirror, how will a company trust them to pull their compliance issues together professionally.

  • K Feb 20, 2014

    Pat, I LOVE that view! Thank you for eloquently interpreting something I could not define myself.

  • Cindy Compert Feb 20, 2014

    I would also add 'Technology Geek' to the mix- the ability to understand the organization's use of data at a technology level (high level) and what solutions are available to mitigate privacy concerns. If not directly an attribute of the privacy officer, then certainly a resource that can provide that perspective.

  • K Feb 20, 2014

    Cindy, Absolutely! We have to have some understanding of it, if not love, right? Although, I will confess, my IT people hate hearing me use the wrong terminology that I sometimes do it just to see them wince.

  • Chass Brown Feb 21, 2014

    Very good point. A very wise manager once told me to never leave the house without having your "leadership" on: face, hair and dress. Your credibility is 55% based on your LOOKS. You do not have to look like Gisele but you do need to be professional and dress the part you want to play.

  • K Feb 21, 2014

    Chass, you make a good point. I always heard "dress for two positions up" or "let them see what you'd look like in the role you want" - which is exactly what you are saying. I know someone who refuses to brush their teeth, wash their hair, or tend to other basic hygiene because he feels that people should respect him for his abilities not his looks. But no one wants to even try to get past the looks. Like Pat said above, if you can't pull yourself together, can you be trusted to pull together a department?

  • Tim Feb 21, 2014

    Interesting list, but I think you left out a very important skill. Teachers. As a whole, we function as teachers. Given that you ask how we would describe our roles when speaking to a bunch of six-year-olds, I find that teaching comes to mind more readily than some of your examples, albeit your examples are excellent.

  • Eric Chung Feb 21, 2014

    Thank you for the wonderful article K! Adding a often-heard role of a "fireman", fighting fire with the coolest of mind, and evocating fire prevention with the hottest of heart!

  • K Feb 21, 2014

    Thank you, Tim. We are teachers. And sometimes I think it would be easier to teach six-year-olds than some of the adults I have worked with.

  • K Feb 21, 2014

    Hi Eric, What a wonderful analogy! I did not even consider that profession, but it is so akin to what we do. How often do we lament that we are so busy putting out fires that we cannot get our day jobs done? And our day jobs should not be putting out fires, we would prefer to identify drought areas and do fire prevention. And thank you for the compliment. This was a fun and meaningful exercise to go through. It really did help identify necessary skills - and perhaps some that can go on the performance review or resume'.

  • Kate Feb 21, 2014

    I don't think "attractive" necessarily means in the physical sense. We do need to be someone people want to see and consult - not hide from. Smiling but firm - that's practically my motto!

  • K Feb 21, 2014

    Hi Kate, You bring up something that is so prevalent in our world - people need to put a friendly face to our name. They need to be able to know that they can come to us with a concern and we won't shoot the messenger (at least without due process and consideration). We do need to be someone people want to see and consult. I love your motto!

  • Rene' Feb 22, 2014

    Great article, quite creative and entertaining. You can tell by the people who comment that as privacy officers, we find it difficult to fully explain the scope of our roles. Sometimes, we ourselves, cannot put term to it. The article also captures the independent nature of our roles. We are not typical attorneys (for those who are attorneys), nor are we the typical compliance officer, who seems to reside many times with HR or regulatory. We are unique and you captured that well. For myself, I would add EMT or first responder, because we are often called in for an emergency and sometimes we can save the project and sometimes we pronounce its demise. But we must be ready to roll on an instant's notice with our knowledge sometimes the only tool at our disposal. I looked at your other articles as well and imagine the consternation your fresh perspective must bring to your co-workers, especially the other attorne

  • Scott Goss Mar 4, 2014

    I suggest adding brand manager and psychic to your list. A mere compliance mindset will only partially cover the privacy challenges facing modern companies. Compliance is the floor, but a successful CPO must go beyond the law and address risks to his/her company's reputation and trust that consumers and the public put into their products and services. A successful CPO must also be a bit of a psychic to anticipate where the law, industry best practices, and consumer sentiment is heading to help guide their company's next generation of products and services.

  • K May 7, 2014

    Scott, those are fabulous points. On the brand manager, I could not agree more. I have branded my privacy program although you are thinking larger. When there is a breach or someone strengthens their data protections, we look at the brand impact. On the psychic point...If I had a dollar for every time I wished I were psychic, I would not be a privacy officer!

Related